Overview

overview

7

Static

static

3

PlayStation.exe

windows7-x64

7

PlayStation.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    21s
  • max time network
    25s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    18-05-2023 02:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PlayStation.exe

  • Size

    4.8MB

  • MD5

    fb049d70b56c8edad8246e41546db8bd

  • SHA1

    f02c296d7bdf0042ff659c51aa8148703c430eb6

  • SHA256

    d0421b25e316db606840821ea866c401ea86c74351b2389d94d3e4bffd8490cd

  • SHA512

    5a47f8df412703647692c6b0b3b17a58d5a94662ee974f3bc745674b1fa5940ca3e7a0be286746bc0b770b8644aa0631dcdde7711dedbc44142971958a1e5b22

  • SSDEEP

    98304:cEbcGOIs0z87c8NykySN5wI+cu23ksxlSZfmxgNXxcl7QO+P/I0Fy59XM7aQH7c:cJIsG87c8NykvP3bxlSZkgNXxNP/Ijxp

Score
7/10
agilenet

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Obfuscated with Agile.Net obfuscator 3 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    agilenet
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PlayStation.exe
    "C:\Users\Admin\AppData\Local\Temp\PlayStation.exe"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1696
    • C:\Windows\system32\cmd.exe
      "cmd.exe" /c start cmd /C "color b && title Error && echo Debugger Detected && timeout /t 5"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:568
      • C:\Windows\system32\cmd.exe
        cmd /C "color b && title Error && echo Debugger Detected && timeout /t 5"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1724
        • C:\Windows\system32\timeout.exe
          timeout /t 5
          4⤵
          • Delays execution with timeout.exe
          PID:1308
    • C:\Windows\System32\shutdown.exe
      "C:\Windows\System32\shutdown.exe" /s /t 10
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1496
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\PlayStation.exe"
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:1304
      • C:\Windows\system32\PING.EXE
        ping 1.1.1.1 -n 1 -w 3000
        3⤵
        • Runs ping.exe
        PID:616
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0
    1⤵
      PID:1960
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x1
      1⤵
        PID:1820

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Credential Access

      Discovery

      System Information Discovery

      1
      T1082

      Remote System Discovery

      1
      T1018

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\005A4F0E.dll
        Filesize

        1.2MB

        MD5

        c9d85c3085dc73b74366b6d8f4644cba

        SHA1

        780c045c53ef406e5c22cd583f9bc6d83e77d2b4

        SHA256

        097d2ea9acce50bec9d55d91ebbee60f6c5d9e705511852630dc2df440061c84

        SHA512

        2c9e3c42bbe73acbdea527f1c4a21ce59f19fd9c6c3e9412af10ea3f1f068eb47c8634f7bdcea29fcc898bfb78ca040e89b46823ff0c4a830bda0024bb68e6b6

        Download Submit
      • memory/1696-64-0x0000000000260000-0x0000000000270000-memory.dmp
        Filesize

        64KB

        Download
      • memory/1696-59-0x000000001C430000-0x000000001C6D0000-memory.dmp
        Filesize

        2.6MB

        Download
      • memory/1696-61-0x0000000000750000-0x0000000000756000-memory.dmp
        Filesize

        24KB

        Download
      • memory/1696-57-0x000000001BFA0000-0x000000001C020000-memory.dmp
        Filesize

        512KB

        Download
      • memory/1696-63-0x0000000000260000-0x0000000000270000-memory.dmp
        Filesize

        64KB

        Download
      • memory/1696-54-0x0000000000270000-0x0000000000746000-memory.dmp
        Filesize

        4.8MB

        Download
      • memory/1696-65-0x0000000000260000-0x0000000000270000-memory.dmp
        Filesize

        64KB

        Download
      • memory/1696-66-0x000000001E100000-0x000000001E462000-memory.dmp
        Filesize

        3.4MB

        Download
      • memory/1696-67-0x0000000000B90000-0x0000000000BAA000-memory.dmp
        Filesize

        104KB

        Download
      • memory/1696-68-0x000000001F3E0000-0x000000001F7B6000-memory.dmp
        Filesize

        3.8MB

        Download
      • memory/1820-70-0x00000000026E0000-0x00000000026E1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1960-69-0x0000000002840000-0x0000000002841000-memory.dmp
        Filesize

        4KB

        Download